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Abstract — Availability  of  service  in  many  wireless  networks  depends  on  the  ability  for  network  users  to  establish  and  maintain 
communication  channels  using  control  messages  from  base  stations  and  other  users.  An  adversary  with  knowledge  of  the  underlying 
communication  protocol  can  mount  an  efficient  denial  of  service  attack  by  jamming  the  communication  channels  used  to  exchange 
control  messages.  The  use  of  spread  spectrum  techniques  can  deter  an  external  adversary  from  such  control  channel  jamming 
attacks.  However,  malicious  colluding  insiders  or  an  adversary  who  captures  or  compromises  system  users  are  not  deterred  by  spread 
spectrum,  as  they  know  the  required  spreading  sequences.  For  the  case  of  internal  adversaries,  we  propose  a  framework  for  control 
channel  access  schemes  using  the  random  assignment  of  cryptographic  keys  to  hide  the  location  of  control  channels.  We  propose  and 
evaluate  metrics  to  quantify  the  probabilistic  availability  of  service  under  control  channel  jamming  by  malicious  or  compromised  users 
and  show  that  the  availability  of  service  degrades  gracefully  as  the  number  of  colluding  insiders  or  compromised  users  increases.  We 
propose  an  algorithm  called  GUIDE  for  the  identification  of  compromised  users  in  the  system  based  on  the  set  of  control  channels  that 
are  jammed.  We  evaluate  the  estimation  error  using  the  GUIDE  algorithm  in  terms  of  the  false  alarm  and  miss  rates  in  the  identification 
problem.  We  discuss  various  design  trade-offs  between  robustness  to  control  channel  jamming  and  resource  expenditure. 

Index  Terms — Wireless  multiple  access,  Control  channel  jamming,  Security,  Node  capture  attacks,  Probabilistic  metrics. 
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1  Introduction 

FFICIENT  communication  in  mobile  networks  re¬ 
quires  the  use  of  multiple  access  protocols  allowing 
mobile  users  to  share  the  wireless  medium  by  separat¬ 
ing  user  data  in  any  combination  of  time,  frequency, 
signal  space,  and  physical  space.  The  entire  class  of 
multiple  access  can  thus  be  described  by  the  unifying 
framework  of  orthogonal  frequency  division  multiple 
access  (OFDMA)  [2].  Allocation  of  access  and  resources 
to  mobile  users  must  be  periodically  updated  in  order 
to  maintain  the  efficiency  of  the  multiple  access  protocol 
when  base  station  group  membership,  user  demands, 
and  wireless  channel  conditions  are  dynamic.  Hence, 
there  is  a  necessary  overhead  involved  in  the  multiple 
access  protocol  to  handle  the  resource  allocation  to  users. 
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This  overhead  often  takes  the  form  of  control  messages 
exchanged  between  mobile  users  and  base  stations. 

In  many  systems,  dedicated  channels  are  established 
for  the  exchange  of  control  messages.  These  control 
channels  can  be  used  for  a  wide  variety  of  functions, 
from  topological  information  propagation  for  network 
routing  to  access  control  in  subscription  services.  In  a 
cellular  system  such  as  GSM  [3],  [4],  [5],  for  example, 
base  stations  and  mobile  users  must  coordinate  over  a 
variety  of  control  channels  in  order  to  perform  access 
control,  traffic  channel  allocation,  and  inter-cell  user 
handoff.  Control  channels  thus  serve  as  a  platform  on 
which  higher-level  protocol  functionality  is  supported 
and,  hence,  as  critical  points  of  failure  that  can  be 
targeted  by  a  malicious  adversary  in  a  denial  of  service 
(DoS)  attack  [6]. 

An  adversary  with  knowledge  of  the  underlying  chan¬ 
nel  access  protocol  can  perform  a  DoS  attack  against  in¬ 
dividual  users  or  local  neighborhoods  in  the  mobile  net¬ 
work  by  jamming  the  communication  channels.  More¬ 
over,  if  the  access  protocol  uses  a  fixed  pre-determined 
schedule  for  data  and  control  messages,  allowing  the 
adversary  to  distinguish  between  channels  for  data  and 
control  messages,  a  control  channel  jamming  attack  focus¬ 
ing  only  on  the  control  channels  can  be  mounted  with 
energy  savings  of  several  orders  of  magnitude  less  than 
that  required  to  jam  all  communication  channels  [7]. 
The  use  of  jamming-resistant  communication  protocols 
such  as  Direct  Sequence  Spread  Spectrum  (DSSS)  or 
Frequency  Hopping  Spread  Spectrum  (FHSS)  [2],  [4] 
introduce  pseudo-randomness  into  the  access  schedule 
by  keeping  the  spreading  or  hopping  sequences,  re- 

Published  by  the  IEEE  Computer  Society 


Public  reporting  burden  for  the  collection  of  information  is  estimated  to  average  1  hour  per  response,  including  the  time  for  reviewing  instructions,  searching  existing  data  sources,  gathering  and 
maintaining  the  data  needed,  and  completing  and  reviewing  the  collection  of  information.  Send  comments  regarding  this  burden  estimate  or  any  other  aspect  of  this  collection  of  information, 
including  suggestions  for  reducing  this  burden,  to  Washington  Headquarters  Services,  Directorate  for  Information  Operations  and  Reports,  1215  Jefferson  Davis  Highway,  Suite  1204,  Arlington 
VA  22202-4302.  Respondents  should  be  aware  that  notwithstanding  any  other  provision  of  law,  no  person  shall  be  subject  to  a  penalty  for  failing  to  comply  with  a  collection  of  information  if  it 
does  not  display  a  currently  valid  OMB  control  number. 
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spectively,  unknown  to  the  adversary.  It  was  noted  in 
[8]  that  the  effect  of  DSSS  and  FHSS  may  be  further 
improved  by  using  cryptographic  primitives.  Alterna¬ 
tive  anti-jamming  techniques  include  the  use  of  random 
channel  surfing  [9]  to  randomly  hop  away  from  jammed 
channels  and  re-synchronize  on  available  channels  and 
the  use  of  wormholes  [10]  to  create  a  channel  for  reports 
or  alarms  from  a  jammed  region. 

The  above-mentioned  anti-jamming  techniques  con¬ 
sider  jamming  attacks  by  an  external  adversary  and  are 
not  intended  to  mitigate  jamming  by  valid  network  in¬ 
siders.  A  set  of  malicious  colluding  users  or  an  adversary 
who  captures  or  subverts  network  users  in  a  node  capture 
attack  [11],  potentially  inserting  replicated  or  fabricated 
devices  into  the  system  [12],  is  able  to  bypass  the  anti¬ 
jamming  techniques  above  by  assuming  the  collective 
roles  of  the  compromised  users  in  the  network.  For 
example,  a  set  of  malicious  colluding  users  can  use  the 
available  DSSS  or  FFISS  sequences  to  perform  an  efficient 
jamming  attack  that  follows  the  corresponding  pseudo¬ 
random  sequence  as  though  it  is  a  fixed  schedule.  An 
access  protocol  which  gives  the  same  information  to  all 
network  users  is  thus  ineffective  against  DoS  attacks  by 
internal  adversaries,  as  a  malicious  insider  has  the  ability 
to  perform  any  task  of  a  valid  user.  Flence,  solutions  to 
prevent  or  mitigate  control  channel  jamming  attacks  by 
malicious  insiders  must  make  use  of  the  following  prop¬ 
erties.  First,  multiple  distinct  pseudo-random  sequences 
must  exist  and  be  held  by  different  users.  Second,  the  set 
of  distinct  sequences  should  exhibit  a  degree  of  cover- 
freeness  [13]  in  that  at  least  one  of  the  sequences  of 
each  user  should  be  different  from  the  union  of  the  set 
of  sequences  held  by  malicious  colluding  users  with  a 
non-negligible  probability  to  ensure  collusion  resistance. 
Finally,  the  total  number  of  pseudo-random  sequences 
should  scale  favorably  as  the  number  of  users  increases, 
suggesting  that  there  exist  trade-offs  between  the  cover- 
free  property  and  the  resource  efficiency  of  the  protocol. 

We  thus  approach  the  problem  of  designing  control 
channel  access  schemes  which  allow  for  efficient  recep¬ 
tion  of  control  messages  while  maintaining  a  degree  of 
independence  between  the  hopping  sequences  held  by 
different  users.  In  this  work,  we  focus  our  attention  on 
designing  schemes  which  are  robust  to  control  channel 
jamming  attacks  by  malicious  colluding  insiders  or  com¬ 
promised  users. 

1.1  Problem  Statement  and  Contributions 

In  this  article,  we  develop  a  framework  for  control 
channel  access  schemes  that  are  robust  to  control  channel 
jamming.  Furthermore,  we  provide  techniques  for  ran¬ 
dom  allocation  of  control  channels  to  users  which  yields 
graceful  performance  degradation  as  the  number  of  compro¬ 
mised  users  increases.  Our  contributions  are  summarized 
as  follow. 

•  We  develop  a  correspondence  between  the  problems 
of  key  establishment  and  control  channel  access  in 
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wireless  networks  and  develop  a  framework  for 
control  channel  access  schemes  providing  proba¬ 
bilistic  availability  of  control  messages  using  ran¬ 
dom  key  assignment. 

•  We  propose  metrics  of  resilience  and  delay  to 
quantify  the  probabilistic  availability  of  service  and 
the  quality  of  provided  service,  respectively,  under 
control  channel  jamming  attacks.  We  evaluate  the 
proposed  metrics  by  extending  existing  results  for 
resilience  to  node  capture  in  wireless  networks. 

•  We  propose  techniques  for  the  identification  and 
revocation  of  compromised  users  by  the  service 
provider  or  a  trusted  authority  that  need  not  be 
constantly  on-line.  We  formulate  the  identification 
problem  as  a  maximum  likelihood  estimation  prob¬ 
lem  and  provide  greedy  heuristic  algorithms  using 
information  available  to  the  service  provider.  We 
evaluate  the  identification  algorithm  by  approximat¬ 
ing  the  false  alarm  and  miss  rates  under  the  greedy 
algorithms. 

•  We  provide  a  simulation  study  to  demonstrate 
trade-offs  that  exist  between  robustness  to  control 
channel  jamming  and  resource  expenditure  which 
result  from  the  use  of  random  key  assignment  pro¬ 
tocols,  serving  as  a  foundation  for  the  design  of 
control  channel  access  schemes. 

The  remainder  of  this  paper  is  organized  as  follows. 
In  Section  2,  we  state  our  assumptions  about  the  control 
channel  access  model,  adversary,  and  trusted  authority. 
In  Section  3,  we  present  a  framework  for  probabilistic 
control  channel  access  schemes.  In  Section  4,  we  propose 
and  evaluate  metrics  of  resilience  and  delay  to  charac¬ 
terize  the  availability  of  service  under  control  channel 
jamming.  In  Section  5,  we  formulate  the  identification  of 
compromised  users  as  a  statistical  estimation  problem 
and  analyze  the  estimation  error  in  terms  of  the  false 
alarm  and  miss  rates.  In  Section  6,  we  provide  simulation 
results  and  discuss  design  and  implementation  trade¬ 
offs.  Section  7  presents  our  conclusions  and  discussion 
of  future  work. 

2  Model  Assumptions 

In  this  section,  we  state  the  assumed  models  for  the 
multiple  access  protocol  and  control  message  structure, 
adversary,  and  service  provider  or  trusted  authority.  We 
provide  a  summary  of  the  notation  used  throughout  this 
work  in  Table  1. 

2.1  Control  Message  Access  Model 

We  describe  the  multiple  access  protocol  in  terms  of  the 
OFDMA  framework  [2]  with  separation  of  signals  over 
orthogonal  carrier  signals  and  in  time  as  follows.  We 
let  'T  =  {^0)  •  •  • ,  ipM-i}  denote  the  set  of  M  orthogonal 
carriers  used  for  wireless  communication.  We  assume 
that  time  is  slotted  and  that  an  initial  portion  of  each 
time  slot  is  dedicated  to  control  messages.  Since  we  are 
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TABLE  1 

A  summary  of  notation  is  provided. 


Symbol 

Definition 

U,  B 

Set  of  U  users,  B  base  stations 

P 

Number  of  time  slots  in  the  reuse  period 

ICt 

Set  of  channel  identifiers,  or  keys,  for  time  slot  t 

qt 

Number  of  control  channels  in  time  slot  t,  \ICt\ 

Ktu 

Subset  of  ICt  assigned  to  user  u 

mt 

Number  of  keys  per  user  in  time  slot  t,  \ICtu\ 

C,c 

Set  and  number  of  compromised  users,  c  =  |C| 

Ktc 

Subset  of  ICt  held  by  C 

Jt 

Subset  of  ICtc  corresponding  to  jammed  channels 

9t 

Probability  that  each  key  k  G  ICtc  is  added  to  Jt 

rt(c) 

Slot  resilience  for  time  slot  t 

r(c) 

Resilience  to  control  channel  jamming 

dt(c) 

Initial-slot  delay  for  time  slot  t 

d(c) 

Delay  due  to  control  channel  jamming 

C 

Estimate  of  set  C  of  compromised  users 

He) 

False  alarm  rate  in  the  estimate  C  of  C 

M(c) 

Miss  rate  in  the  estimate  C  of  C 

focusing  on  the  availability  of  control  messages  in  this 
article,  we  ignore  the  portion  of  each  time  slot  dedicated 
to  data.  We  further  partition  each  time  slot  t  into  S  sub¬ 
slots  with  duration  sufficient  to  transmit  a  single  control 
message.  Each  control  channel  is  thus  specified  by  the 
time  slot  t,  the  sub-slot  index  s  G  S  1 },  and  the 

carrier  index  j  G  {0, . . ... ,  M  —  1}  into  the  set  T. 

We  let  B  denote  the  set  of  B  base  stations  present  in 
the  network.  Each  base  station  b  G  B  holds  the  set  Kt  of 
qt  =  \K.t\  control  channel  identifiers,  each  corresponding  to 
a  control  channel  in  time  slot  t.  The  sub-slot  index  s  and 
carrier  index  j  corresponding  to  each  identifier  kt  G  Kt 
are  computed  using  the  control  channel  locator  function  f, 
assumed  to  be  publicly  known.  We  let  U  denote  the  set 
of  U  mobile  users  in  the  network  and  assume  that  each 
user  u  G  U  is  within  range  of  at  least  one  base  station. 
Any  user  u  GU  holding  the  identifier  kt  G  Kt  can  locate 
the  corresponding  control  channel  using  the  function 
/.  We  let  Kt u  denote  the  subset  of  Kt  held  by  user  u. 
We  assume  that  each  control  message  received  over  the 
channel  identified  by  kt  carries  information  relevant  to 
all  users  in  U  holding  kt-  This  access  model  is  expanded 
in  detail  in  Section  3.2. 

2.2  Adversarial  Model 

We  consider  two  types  of  adversaries.  First,  when  mali¬ 
cious  insiders  collude  under  the  described  control  chan¬ 
nel  access  structure,  they  can  jam  any  control  channel 
which  can  be  located  using  the  control  channel  identi¬ 
fiers  they  possess.  Second,  an  adversary  who  captures 
or  subverts  system  users  and  assumes  their  identities  in 
the  network  can  jam  control  channels  using  identifiers 
acquired  from  compromised  users.  We  let  C  C  U  denote 
the  set  of  compromised  users,  either  colluding  insiders  or 
those  captured  by  an  adversary.  For  each  time  slot  t,  we 
let  Ktc  denote  the  subset  of  Kt  collectively  held  by  the 


compromised  users,  i.e.  Ktc  =  IJ„  -e  ^tu-  Furthermore, 
we  let  Jt  denote  the  subset  of  Ktc  corresponding  to 
control  channels  in  time  slot  t  that  are  jammed  by 
compromised  users. 

The  case  that  insiders  expose  their  identifiers  to  each 
other  and  collaboratively  choose  the  subset  Jt  is  equiv¬ 
alent  to  that  of  an  adversary  in  control  of  multiple  com¬ 
promised  users.  Alternatively,  malicious  insiders  may 
independently  choose  contributions  to  the  overall  subset 
Jt,  suggesting  that  the  probability  that  each  key  kt 
is  included  in  Jt  may  increase  with  the  number  of 
compromised  users  \C\.  We  let  6t  denote  the  probability 
that  each  identifier  kt  G  Ktc  is  included  in  Jt,  noting  that 
6t  may  be  a  function  of  \C\.  In  this  work,  we  assume  that 
identifiers  in  Ktc  are  added  to  Jt  independently  with 
probability  Qtl. 

2.3  Trusted  Authority 

We  assume  that  a  trusted  authority2  (TA)  is  responsible 
for  the  assignment  and  update  of  control  channel  identi¬ 
fiers  to  users  in  U  and  the  identification  and  revocation 
of  compromised  users  in  the  network.  We  assume  that 
the  TA  keeps  a  record  of  the  sets  Ktu  for  each  user 
u  G  U  and  time  slot  t  and  can  detect  jammed  control 
channels  without  error,  thus  recovering  the  set  Jt  for 
each  t.  By  comparing  the  collections  of  sets  Ktu  and 
Jt  for  various  time  slots,  the  TA  can  determine  a  set 
C  of  suspected  jammers  to  eliminate  from  the  network. 
For  each  time  slot  t,  the  set  of  identifiers  Kf-  C  Kt  are 
removed  from  Kt  and  replaced  with  fresh  identifiers. 
Any  user  u  G  U  \  C  holding  an  identifier  in  Kf',  is 
assigned  the  corresponding  fresh  identifiers.  We  assume 
that  a  mechanism  for  secure  key  refresh  exists  and  do  not 
further  address  the  key  refreshing  protocol  in  this  article. 
We  note  that,  unless  the  estimation  C  of  C  is  perfect, 
which  is  unlikely  given  the  intelligent  adversary  model, 
it  is  possible  that  valid  users  in  U\C  will  be  eliminated 
from  the  network  or  that  compromised  users  in  C  who 
participate  in  control  channel  jamming  may  not  appear 
in  C  as  suspected  jammers. 

Our  approach  does  not  require  constant  presence  of 
the  TA  to  oversee  the  network.  In  fact,  the  TA  may  only 
be  available  occasionally  to  perform  the  identification 
and  elimination  steps  by  recording  jamming  evidence 
Jt,  computing  the  set  C  of  suspected  jammers,  and  re¬ 
freshing  the  control  channel  identifiers  for  the  remaining 
users  in  U  \  C.  When  the  adversary  compromises  system 
users  over  an  extended  duration  of  time,  the  random 
or  deterministic  identification  interval  between  successive 
identification  steps  by  the  TA  impacts  the  total  number 
of  compromised  users  \C\  for  a  given  identification  step 
and  the  ability  for  the  TA  to  identify  those  users  with 
the  estimate  C. 

1.  This  assumption  is  information-theoretically  minimal  in  that  the 
entropy  of  the  set  Jt  is  maximized  for  a  given  0t  [14], 

2.  The  TA  can  be  a  service  provider  or  a  subset  of  the  base  stations 
in  13,  for  example. 
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3  Random  Key  Assignment  Framework 
for  Control  Channel  Access 

In  this  section,  we  develop  a  correspondence  between 
the  problems  of  control  channel  access  and  symmet¬ 
ric  key  assignment.  We  show  that  efficient  and  robust 
control  channel  access  can  be  provided  using  random 
key  assignment,  yielding  a  framework  for  probabilistic 
control  channel  access  schemes. 

3.1  Problem  Mapping 

We  provide  a  one-to-one  mapping  between  control  chan¬ 
nel  access  for  multiple  users  in  a  single  time  slot  and  the 
assignment  of  symmetric  keys  to  network  nodes  for  use 
in  cryptographic  protocols.  The  mapping  is  formalized 
by  constructing  a  bipartite  graph  [15]  which  uniquely 
maps  between  control  channel  access  schemes  and  sym¬ 
metric  key  assignment  schemes. 

For  a  given  time  slot  t,  let  Gt  =  (U  U  B ,  JCt,  Et)  be  a 
bipartite  graph  with  left  vertex  set  U  U  B,  right  vertex 
set  K,t,  and  edge  set  £t  C  (U  U  B)  x  /Ct.  The  edge  (u,  kt) 
for  u  G  U  is  in  Et  if  and  only  if  kt  G  /Ctu,  so  u  can 
compute  the  corresponding  channel  location  using  the 
locator  function  /.  A  user  u  G  U  can  receive  control 
messages  from  a  base  station  b  G  B  if  and  only  if 
(b,kt)  G  Et  and  ( u,kt )  G  Et.  Any  compromised  user 
w  G  C  that  also  holds  the  identifier  kt  can  compute 
the  channel  location  using  the  locator  function  /,  so  the 
channel  can  be  jammed  if  and  only  if  there  is  at  least 
one  such  user  w  G  C  such  that  (w,  kt)  G  Et. 

The  bipartite  graph  Gt  constructed  above  is  next 
used  to  uniquely  construct  a  symmetric  key  assignment 
scheme  used  to  establish  secure  communication  in  a 
wireless  network.  Let  ICt  be  a  set  of  symmetric  cryp¬ 
tographic  keys  [16],  and  let  TV"  =  U  U  B  represent  the 
set  of  network  nodes.  For  each  kt  G  JCtr  assign  the  key 
kt  to  node  nGJVif  and  only  if  (n,  kt)  G  Et.  A  pair  of 
nodes  ni,  ri2  G  TV"  can  communicate  securely  if  and  only 
if  there  exists  at  least  one  key  kt  G  K',f  such  that  both 
(ni,  kt)  G  Et  and  (n2,kt)  G  Et.  If  the  key  kt  is  held  by  any 
compromised  node  w  G  C,  the  communication  between 
m  and  n-2  is  insecure  against  attacks  by  the  adversary 
(e.g.  eavesdropping  on  encrypted  messages).  Hence,  the 
secure  link  is  compromised  if  and  only  if  there  is  one 
such  user  w  G  C  such  that  (w,  kt)  G  Et. 

The  bipartite  graph  Gt  thus  provides  a  one-to-one 
correspondence  between  control  channel  access  schemes 
and  symmetric  key  assignment  schemes3.  Hence,  key 
assignment  solutions  that  provide  secure  communication 
which  is  robust  to  node  capture  attacks  can  be  used  to 
design  control  channel  access  schemes  which  are  resilient 

3.  We  note  that,  by  assumption,  each  left  node  b  £  B  is  joined  to 
all  right  nodes  kt  G  ICt,  though  the  mapping  holds  regardless  of  this 
assumption,  suggesting  a  natural  extension  of  the  problem  in  which 
each  base  station  b  is  assigned  a  subset  of  Kt  instead  of  the  entire 
set.  Alternatively,  the  mapping  allows  for  modeling  of  the  case  in 
which  base  stations  are  not  present  and  the  users  organize  in  an  ad-hoc 
manner.  These  extensions  are  not  addressed  in  this  article. 
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to  control  channel  jamming  attacks  by  compromised 
users. 

3.2  Random  Assignment  of  Control  Channel  Keys 

Using  the  mapping  in  Section  3.1,  we  make  use  of  the 
symmetric  key  assignment  model  in  [17]  to  provide  a 
framework  for  probabilistic  control  channel  access  using 
random  key  assignment.  The  proposed  framework  can 
then  be  used  to  design  control  channel  access  schemes 
which  are  robust  to  jamming  by  compromised  users.  For 
the  remainder  of  this  article,  we  use  the  term  control  chan¬ 
nel  key  interchangeably  with  control  channel  identifier. 

As  discussed  in  Section  1,  a  control  channel  access 
scheme  is  only  robust  to  control  channel  jamming  by 
compromised  users  if  a  user  holds  keys  that  are  not 
held  by  any  compromised  user  with  high  probability. 
Due  to  fact  that  any  users  in  U  can  be  compromised,  it 
is  necessary  to  impose  a  degree  of  disparity  between  the 
sets  ICtu  of  assigned  keys.  This  necessary  disparity  is  seen 
by  noting  that  if  all  sets  /Q„  are  equal,  for  example  when 
all  users  share  a  single  global  key,  a  single  compromised 
user  can  jam  all  control  messages.  However,  increasing 
the  diversity  of  keys  assigned  to  different  users  implies 
that  the  total  number  of  keys  qt  for  each  time  slot  t  must 
increase.  Increasing  the  number  of  keys  qt  in  time  slot 
t  further  implies  that  the  key  storage  and  the  number 
of  control  messages  transmitted  by  each  base  station 
in  time  slot  t  increase.  Hence,  inherent  trade-offs  exist 
between  the  robustness  to  control  channel  jamming  and 
the  efficiency  of  the  protocol  in  terms  of  storage  and 
communication  overhead.  These  trade-offs  are  discussed 
in  Section  6. 

The  random  assignment  of  control  channel  keys  to 
system  users  is  described  as  follows.  For  each  user  u  GW 
and  time  slot  t,  the  subset  JCtu  of  rnt  keys4  is  randomly 
selected  from  JCt  and  assigned  to  u,  independent  of  other 
users  in  U.  The  choice  of  random  key  assignment  is 
motivated  by  the  following  observations.  First,  without 
prior  assumptions  on  the  maximum  number  of  compro¬ 
mised  users,  choosing  the  parameters  of  a  deterministic 
key  assignment  scheme  [7]  may  not  be  possible.  Second, 
the  imposed  structure  of  deterministic  key  assignment 
schemes  may  allow  the  adversary  to  learn  information 
about  the  assignment  of  keys  to  users  other  than  those 
in  C,  as  shown  in  [18].  In  random  key  assignment,  each 
user  is  assigned  keys  independently,  so  the  adversary 
cannot  learn  any  information  about  the  assignment  of 
keys  to  users  other  than  those  in  C. 

To  maintain  finite  key  storage  for  each  user  and  base 
station  and  to  prevent  frequent  re-assignment  of  keys  to 
all  users  in  the  network,  we  adopt  the  periodic  reuse  of 
keys  in  time  slots  such  that  in  any  time  slot  t,  control 
channels  are  located  using  the  keys  in  the  assigned 
subset  K-iu  C  K-t  for  i  =  t  (mod  p).  The  reuse  period  p  is 

4.  The  number  of  assigned  keys  per  time  slot  can  vary  among 
users  as  mtu,  though  we  do  not  address  this  extension  in  this  work. 
Analytical  results  can  be  obtained  using  techniques  in  [18]. 
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Fig.  1 .  A  control  channel  access  scheme  using  random  key  assignment  allows  for  pseudo-random  relocation  of  control 
channels  over  time,  preventing  an  adversary  from  learning  via  correlation.  Each  user  and  base  station  with  a  control 
channel  identifier  fc,;  for  i  =  t  (mod  p)  locates  the  corresponding  control  channel  in  time  slot  t  as  (s,j)  =  f(hi,t), 
where  s  is  a  sub-slot  index  in  slot  t  and  j  is  an  index  into  the  set  \I>  of  carrier  signals. 


thus  a  parameter  in  the  design  of  the  control  channel 
access  scheme.  An  additional  benefit  of  the  finiteness 
constraint  on  the  number  of  distinct  time  slots  is  that  we 
can  construct  the  sets  AC,  for  i  =  0, ....  p  —  1  to  be  pairwise 
disjoint.  Furthermore,  we  assume  that  the  p  subsets  AC,,, 
for  each  user  u  are  independently  selected,  implying  that 
the  probabilistic  availability  of  control  messages  in  each 
time  slot  is  independent. 

A  consequence  of  the  periodic  reuse  of  keys  from  each 
subset  AC,;  is  that  control  channels  will  appear  at  the 
same  location  every  p  time  slots  if  the  locator  function  / 
depends  only  on  the  key  fc,; .  In  this  case,  the  adversary 
may  be  able  to  learn  the  locations  of  control  channels  by 
correlating  transmission  patterns  in  corresponding  time 
slots.  To  prevent  transmission  correlation,  the  locator 
function  /  must  take  an  additional  parameter  to  vary 
the  control  channel  location  in  subsequent  periods.  In 
a  given  time  slot  t  such  that  i  =  t  (mod  p),  the  sub¬ 
slot  index  s  and  carrier  index  j  are  thus  given  by 
(s,j)  =  /(&»,£)•  To  ensure  that  distinct  control  channel 
keys  map  to  distinct  ordered  pairs  (s,j)  with  high  prob¬ 
ability,  the  locator  function  /  can  be  implemented  using 
a  cryptographic  hash  function  [7],  [16].  Fig.  1  illustrates 
the  control  channel  access  scheme. 

A  control  channel  access  scheme  using  random  key 
assignment  is  primarily  dependent  on  the  key  reuse 
period  p,  the  number  of  control  channels  q,  in  each  time 
slot  i  =  0, ...  ,p  —  1,  and  the  number  of  control  channel 
keys  in,  assigned  to  each  user  in  U  for  use  in  each  time 
slot  i  =  0, ...  ,p  —  1.  To  provide  a  basis  for  the  design 
problem,  the  following  sections  evaluate  the  robustness 
to  control  channel  jamming  and  the  ability  to  identify 
and  eliminate  compromised  users  from  the  system. 

4  Availability  of  Control  Messages 
Under  Control  Channel  Jamming 

In  order  to  evaluate  the  effect  of  control  channel  jamming 
by  compromised  users,  we  define  and  evaluate  metrics 


to  quantify  the  probabilistic  availability  of  control  mes¬ 
sages.  We  note  that  users  in  the  proposed  control  channel 
access  scheme  as  outlined  in  Section  3  do  not  exchange 
any  information  about  the  assigned  keys  /C,„,  so  the 
adversary  cannot  obtain  any  deterministic  information 
about  the  key  assignment.  Intelligent  node  capture  at¬ 
tacks  using  the  techniques  proposed  in  [18]  using  such 
information  are  thus  impossible.  Flence,  the  selection  of 
the  subset  C  C  U  of  compromised  users  is  independent 
of  the  key  assignment,  implying  that  the  compromised 
users  are  randomly  selected  by  the  adversary.  We  thus 
define  the  following  metrics  to  measure  the  availability 
of  control  messages  as  a  function  of  the  number  c  =  \C\ 
of  compromised  users,  noting  that  the  proposed  metrics 
are  computed  for  the  average  case. 

Definition  1:  The  slot  resilience  to  control  channel  jam¬ 
ming  by  c  =  \C\  compromised  users  is  the  probability 
rj(c)  that  a  user  in  U  \  C  is  able  to  receive  at  least  one 
control  message  in  time  slot  i. 

Definition  2:  The  resilience  to  control  channel  jamming 
by  c  =  \C\  compromised  users  is  the  probability  r(c)  that 
a  user  in  U  \  C  is  able  to  receive  at  least  one  control 
message. 

Definition  3:  The  initial  slot  delay  due  to  control  channel 
jamming  by  c  =  \C\  compromised  users  is  the  average 
number  of  time  slots  d,(c)  that  a  user  in  U  \  C  must 
wait  to  receive  a  control  message  when  the  initial  access 
attempt  is  made  during  time  slot  i.  As  the  delay  is 
infinite  for  users  with  no  control  channel  availability,  this 
metric  considers  only  those  users  able  to  receive  control 
messages. 

Definition  4:  The  delay  due  to  control  channel  jamming 
by  c  =  \C\  compromised  users  is  the  average  number  of 
time  slots  d(c)  that  a  user  in  U\C  must  wait  to  receive 
a  control  message,  considering  only  those  users  able  to 
receive  control  messages. 

In  the  following  sequence  of  results,  we  evaluate  the 
resilience  and  delay  metrics  using  the  properties  of 
random  control  channel  key  assignment  in  Section  3.2. 
We  first  derive  an  approximation  for  the  slot  resilience 
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r,  (c).  We  then  prove  that  the  resilience  r(c),  initial  slot 
delay  dj(c),  and  delay  die)  can  be  expressed  as  a  function 
of  the  slot  resilience  77(c).  The  following  lemma  provides 
a  necessary  component  in  the  evaluation  of  the  slot 
resilience  77(c). 

Lemma  1:  When  \C\  =  c,  the  probability  PiyC{s)  that 
| ICiu  n  Ji\  =  s  for  any  user  u  G  U  \  C  is  approximated 

38  /  \ 

Pi,c(s) »  (  a’J  (diZi,cy(  1  -  eiZi,c)mi-s 


where  zi<c  . 

Proof:  Let  pc.u  denote  the  probability  for  a  user 
u  G  U  \  C  that  a  particular  key  ki  G  AA„  is  in  J-,. 
Since  Ji  C  /C,c,  pc,«  can  be  expressed  as  the  product 
of  probabilities  Pr[/cj  G  J, \ ki  G  JCic,ki  G  /C,u]  and 
Pr[fc,  G  K,ic\ki  G  The  former  probability  is  equal  to 
9,  by  definition.  The  latter  is  the  probability  that  at  least 
one  of  the  c  compromised  users  shares  the  key  ki  with 
user  u.  Letting  A  (ki)  denote  the  number  of  users  in  U 
holding  the  key  ki  G  /C,  this  probability  is  approximated 
by  [17,  Lemma  6.8]  as  1  —  (j7 >  yielding 


Pc,u  ~ 


^  (u-m) 


a) 


Similar  to  the  result  of  [17,  Theorem  6.9],  the  average  pc 
of  pc,u  over  all  users  u  GU\C  can  be  approximated  by 
replacing  A  (A:*)  by  its  expected  value  yielding  pc  ns 


9iZpc  where 


Zi,c  =  1  - 


(U-IH 

\U- 1 


c 


(2) 


The  probability  z,.c  can  be  approximated  independent  of 
U  by  noting  that  /i,  =  Unii/qi  when  keys  are  assigned 
randomly,  noting  that  the  approximation  holds  with 
equality  in  the  limit  of  large  U.  Since  the  keys  in  AA  are 
assigned  independently,  the  probability  pijC(s)  satisfies  a 
binomial  distribution  corresponding  to  m,  independent 
trials  with  success  probability  pc.  □ 

The  following  theorem  provides  an  approximation  for 
the  slot  resilience  77(c)  using  the  previous  result. 

Theorem  1:  The  slot  resilience  77(c)  is  approximated  as 

Proof:  By  Definition  1,  the  slot  resilience  77(c)  is  equal 
to  the  probability  that  \JClu  fl  Jf\  Y  mi  for  a  user  u  £ 
U  \C.  Hence,  17(c)  =  1  - p^dm),  where  pi|C(s)  is  given 
in  Lemma  1.  □ 

We  next  show  how  the  resilience  r(c)  can  be  computed 
as  a  function  of  the  slot  resilience  77(c)  for  i  =  0, . . .  ,p—  1. 

Theorem  2:  The  resilience  r(c)  can  be  computed  from 
the  slot  resilience  77(c)  for  i  =  0, ...  ,p  —  1  as 


p- 1 

r(c)  =  1  -  l1  -ri(c))  • 

2=0 

Proof  A  user  u  €U\C  can  receive  a  control  message 
in  slot  i  if  and  only  if  K,tu  f  Ji,  an  event  which  occurs 


with  probability  rj(c),  by  Definition  1.  Similarly,  a  user 
u  G  U  \C  can  receive  at  least  one  control  message  in 
at  least  one  slot  if  and  only  if  /C,M  f  Ji  for  at  least 
one  time  slot  i,  an  event  which  occurs  with  probability 
r(c),  by  Definition  2.  The  probability  1  —  r(c)  that  no 
channel  is  available  in  any  slot  is  given  by  the  product  of 
probabilities  (1  —  r* (c))  for  i  =  0, . . .  ,p—  1.  Independence 
of  key  assignment  for  different  time  slots  yields  the 
desired  result.  □ 

We  next  show  how  the  initial  slot  delay  di(c)  and  delay 
d(c)  can  be  expressed  as  a  function  of  the  slot  resilience 
Ti(c).  We  note  that  the  delay  d(c)  can  be  expressed  as 
a  weighted  sum  of  the  initial  slot  delays  djc)  for  i  = 
0 .,p—  1,  where  the  weight  multiplying  each  dfc)  is 
the  probability  that  the  initial  access  attempt  is  made 
at  time  slot  i.  The  probability  distribution  of  delay  die) 
can  thus  be  computed  as  a  function  of  the  probability 
distribution  of  initial  slot  delay  dfc)  for  *  =  0, . . .  ,p  —  1. 
We  provide  the  following  result  to  evaluate  the  latter 
probability  distribution  as  a  function  of  the  slot  resilience 
n{c). 

Theorem  3:  The  probability  distribution  of  di(c)  is 
given  by 

<5-1 

Pr[dj(c)  =  <5]  —  r)iVi+5  mod  p(p)  |  |  (1  ^i+d,  mod  p(.C)) 

d—0 

where  7,  is  a  normalization  constant  to  ensure  the  sum¬ 
mation  over  S  =  0, . . .  ,p  —  1  equals  1. 

Proof:  A  user  must  wait  <5  time  slots  starting  at  slot  i 
if  and  only  if  there  is  no  control  channel  available  in  the 
first  8  time  slots  beginning  at  (and  including)  i  and  there 
is  a  control  channel  available  in  slot  (i+<5  mod  p).  In  each 
time  slot  (i  +  d  mod  p),  the  probability  that  no  control 
channel  is  available  is  the  complement  (1  —  ri+c;  mod  p  (c)) 
of  the  corresponding  slot  resilience.  Independence  of  key 
assignment  for  different  time  slots  yields  the  desired 
result.  □ 

In  the  special  case  of  equal  key  assignment  and  jam¬ 
ming  parameters  for  all  time  slots,  the  resilience  r(c)  and 
the  distribution  of  the  delay  d(c)  can  be  greatly  simpli¬ 
fied.  The  following  results  illustrate  these  simplifications. 

Theorem  4:  When  rri,  =  m,  qi  =  q,  and  0i  =  9  for  all 
i  =  0, . . .  ,p  —  1,  the  resilience  r(c)  is  approximated  as 

Proof:  The  result  follows  directly  from  Theorem  2 
and  Theorem  1.  □ 

Theorem  5:  When  rrii  =  m,  qi  =  q,  and  9i  =  9  for  all 
i  =  0, . . .  ,p—  1,  the  probability  distribution  of  delay  d(c) 
is  given  by 

Pr[d(c)  =  8}  =  (1  -  r0(c))5 

r(c) 

for  8  =  0, . . .  ,p  —  1. 

Proof:  In  the  given  special  case,  the  slot  resilience 
r*(c)  =  r0(c)  for  all  i  =  0, . . .  ,p  —  1.  Theorem  3  thus 
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yields  the  probability  distribution  of  di(c)  as 

Pr [di(c)  =  <5]  =  7,7-0 (c)(l  -  ro(c))15  (3) 

for  S  =  0, . . .  ,p  —  1.  The  normalization  constant  y,  = 
l/r(c)  is  obtained  by  evaluating  the  finite  geometric 
sum  and  using  the  result  of  Theorem  2.  The  probability 
distribution  of  d,(c)  in  (3)  is  independent  of  i,  so  the 
distribution  of  d(c)  given  by  any  normalized  weighted 
sum  of  the  d,(c)  for  i  =  0,  ■  ■  ■  ,p  —  1  is  equal  to  the 
distribution  of  di(c).  □ 

To  complete  the  analysis  of  the  delay  metric,  we 
compute  the  expected  value  d(c)  of  the  delay  d(c)  for 
the  special  case  approached  in  Theorem  5.  We  note 
that  similar  techniques  can  be  applied  in  computing  the 
expected  delay  in  the  general  case. 

Theorem  6:  When  mi  =  m,  qi  =  q,  and  9i  =  9  for  all 
i  =  0, . . .  ,p  —  1,  the  expected  delay  d(c)  is  given  by 


Proof:  The  expected  value  d(c)  of  d(c)  is  obtained 
from  the  result  of  Theorem  5  using  the  properties  of  finite 
geometric  random  variables  [19].  □ 

The  results  obtained  in  this  section  can  thus  be  used  in 
the  design  of  control  channel  key  assignment  schemes, 
in  particular  to  balance  trade-offs  between  robustness 
to  control  channel  jamming  and  efficiency  in  terms  of 
key  storage  and  control  overhead.  These  trade-offs  in 
the  design  process  are  further  discussed  in  Section  6. 

5  Identification  of  Compromised  Users 

In  this  section,  we  formulate  a  statistical  estimation 
problem  for  the  identification  of  compromised  users 
by  the  TA,  constructing  a  set  C  of  suspected  jammers 
to  eliminate  from  the  network  with  no  knowledge  of 
the  number  of  compromised  users  c  =  \C\.  Due  to 
the  complexity  of  the  resulting  identification  problem, 
we  propose  two  algorithms,  collectively  referred  to  as 
GUIDE  (Greedy  User  IDEntification),  based  on  a  greedy 
heuristic  which  ranks  users  according  to  the  likelihood  of 
being  a  compromised  user.  Finally,  we  approximate  the 
estimation  error  resulting  from  the  GUIDE  algorithms. 

Throughout  this  section,  we  denote  the  parameter 
vector  (ICou ,  •  •  •  ,  ^(p—i)u )  ^ u ,  (^0 c  ,  •  •  •  ,  ^(p—i)c )  ICc , 

(Jo,  ■  ■  ■  ,Jp-i)  as  J,  and  (90,  ■  ■  . ,  9p-f)  as  0.  Further¬ 
more,  we  extend  the  use  of  logical  relations  and  set 
cardinalities  to  parameter  vectors  in  a  natural  way.  For 
example,  we  say  that  J  C  ICc  if  and  only  if  J,  C  K',;c  for 
i  =  0, . . .  ,p  -  1,  and  we  let  \J\  =  X)f=o  \J%\- 

The  information  available  to  the  TA  and  adversary 
during  the  attack  and  identification  process  are  illus¬ 
trated  in  Fig.  2.  The  parameter  Ku  is  known  to  the  TA 
for  all  u  €  U  and  to  the  adversary  only  for  u  €  C.  The 
evidence  J  C  ICc  is  known  to  the  TA  and  the  adversary, 
but  ICc  is  known  only  to  the  adversary.  The  problem  of 
identifying  the  set  C  of  jammers  is  first  formulated  as  a 
statistical  estimation  problem  in  which  the  TA  constructs 


Fig.  2.  The  information  available  to  the  TA  and  adversary 
during  the  attack  and  identification  process  is  illustrated. 
The  TA  has  knowledge  of  the  parameters  ICU  and  J  and 
uses  this  available  information  to  construct  an  estimate  C 
of  C.  The  adversary  has  knowledge  of  the^parameters  C, 
ICc,  0,  and  J.  The  dotted  line  from  0  to  C  indicates  that 
the  TA  may  or  may  not  know  0. 

an  estimate  C  of  C  as  a  function  of  the  known  parameters 
J  and  0.  When  0  =  1,  then  J  =  K-c  and  the  uncertainty 
in  the  identification  process  is  greatly  reduced.  This 
case  was  investigated  in  [1]  and  is  discussed  briefly.  In 
addition,  as  it  is  quite  likely  that  0  will  not  be  known  to 
the  TA,  we  vary  the  heuristic  for  the  case  of  unknown 
0. 

5.1  Identification  with  0  =  1 

When  0  =  1,  the  evidence  J  allows  the  TA  to  deter¬ 
ministically  know  ICc ■  Hence,  the  only  information  the 
adversary  has  that  the  TA  does  not  have  is  the  set  C. 
The  TA  can  thus  infer  that  any  user  u  £  U  holding  a 
key  hi  f  K'.,c  for  any  i  cannot  be  a  compromised  user. 
Hence,  any  user  u  such  that  ICU  C  ICc  is  identified  as  a 
compromised  user,  though  it  is  possible  that  users  are 
falsely  identified.  This  case  was  addressed  in  [1]  for  a 
similar  random  key  assignment  model  and  in  [7]  for 
certain  deterministic  key  assignment  schemes. 

5.2  Estimation  of  Compromised  User  Set  C 

We  formulate  the  jammer  identification  problem  us¬ 
ing  statistical  estimation  by  defining  the  probability 
Pv[C\J,  0]  that  C  is  the  set  of  compromised  users  re¬ 
sponsible  for  jamming  the  control  channels  indicated  by 
the  parameters  J  and  0.  The  estimate  which  maximizes 
the  probability  Pr[C|  J ,  0]  is  defined  as  follows. 

Definition  5:  The  maximum  a  posteriori  (MAP)  estimate 
[14]  C  of  the  set  C  of  compromised  users  is  given  by 

C  =  argmaxPr[C|  J ,  0]. 
ecu 

An  alternate  statistical  estimation  problem  can  be  for¬ 
mulated  by  defining  the  likelihood  function  Pr[Jr|C,  0] 
that  the  evidence  J  is  the  outcome  of  jamming  by  a 
given  set  of  compromised  users  C  and  parameter  0. 
The  estimate  which  maximizes  the  likelihood  function 
is  defined  as  follows. 
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Definition  6:  The  maximum  likelihood  (ML)  estimate  [14] 
C  of  the  set  C  of  compromised  users  is  given  by 

C  =  arg  max  Pv[J\C,  0] . 
ecu 

The  primary  difference  between  the  MAP  and  ML 
estimates  is  the  availability  of  prior  information  about 
the  set  C  being  estimated,  as  can  be  shown  using  Bayes' 
Theorem  [14].  Since  there  is  no  prior  information  avail¬ 
able  to  the  TA  about  C  and  all  users  are  equally  likely 
to  be  compromised,  the  MAP  and  ML  estimates  are 
equivalent  [14].  The  problem  of  estimating  C  can  thus 
be  formulated  with  respect  to  the  likelihood  function 
Pr[J\C,  0]  characterized  by  the  following  results. 

Theorem  7:  The  likelihood  function  Pr^lC,  0]  is  given 
by 

Pruic.e]  =  |ne“l(1  ««. 

[  0,  else 


Proof:  If  J  JCc ,  then  jamming  by  compromised 
users  C  could  not  lead  to  evidence  J .  Hence,  the  likeli¬ 
hood  function  is  non-zero  only  if  J  C  /Cc  •  By  assumption 
in  Section  2.2,  the  sets  Ji  for  i  =  (),...,  p  —  1  are  selected 
independently,  simplifying  the  likelihood  function  as 

p- 1 

Px[J\C,Q\  =  \{Pr[Ji\C,ei\.  (4) 

»= o 


The  dependence  of  J.,  on  C  is  in  the  form  of  the  set  tC,c 
of  keys  assigned  to  compromised  users.  The  likelihood 
Pr[C7i|C,  0,  \  is  thus  equal  to  the  probability  that  indepen¬ 
dent  selection  of  each  element  of  /Qc  with  probability 
0.,  yields  J, .  The  likelihood  function  Pr[j7i|C,  0,]  is  thus 
given  by 


Pr  [Ji\C,9i] 


0, 


if  Ji  C  KlC 
else 


□ 

In  the  case  that  0  is  a  constant  vector,  i.e.  9i  =  9  for  i  = 
0, . . .  ,p  —  1,  the  likelihood  Pr[J\C,  0]  can  be  simplified 
as  follows. 

Theorem  8:  If  6i  =  9  for  i  =  0, . . .  ,p—  1,  the  ML  estimate 
C  of  C  is  independent  of  0  and  given  by 


C  =  argmin  |/Cc|- 
ecu, 

JCKc 


Proof:  The  result  of  Theorem  7  applied  to  Defini¬ 
tion  6  with  0i  =  9  yields  the  estimate 


C 


=  arg  max 
ecu, 
JCKc 


p- 1 

Yle^fi-e) 

i—0 


\Mc\~\Ji\ 


=  arg  max 
ecu. 
JCKc 


6 

1  —  9 


I  J\ 


(1  —  6')|/Ccl. 


(6) 


GUIDE-0:  Greedy  Estimate  of  C 

Given:  J,  0 

C  4-  0 

while  J  /Cp  do 

u*  <—  argmaxr(rt|c7,  0) 

uC  U\C 

C^CU{u*} 

end  while 

Fig.  3.  Jhe  algorithm  GUIDE-0  constructs  a  greedy 
estimate  C  of  the  set  C  of  compromised  users  using  the 
jamming  evidence  J  and  parameter  0. 


9  and  J  are  fixed  parameters  in  the  estimation,  so  the 
first  term  in  (6)  is  constant  and  can  be  eliminated  from 
the  problem.  Since  0  <  (1—9)  <  1  and  |/Cc|  is  non¬ 
negative,  the  maximum  is  achieved  when  the  exponent 
is  minimized,  yielding  the  desired  result  independent  of 
0.  □ 

We  note  that,  even  in  the  simplified  case  in  Theorem  8, 
the  computation  of  the  ML  estimate  C  of  C  according  to 
Definition  6  requires  an  exhaustive  search  through  the 
space  of  2U  —  1  subsets  of  U,  as  every  subset  C  CU  must 
be  considered  in  computing  the  arg  max  and  argmin 
functions.  Hence,  the  computation  of  an  estimate  C  using 
maximum  likelihood  estimation  is  likely  computation¬ 
ally  infeasible,  unlike  maximum  likelihood  estimation 
of  continuous  parameters  (e.g.  Gaussian  noise).  We  thus 
shift  our  attention  to  the  use  of  heuristics  to  estimate  C. 

5.3  Greedy  Identification  of  Jammers  -  0  Known 

Instead  of  basing  the  identification  of  jammers  on  the 
probability  Pr[C|  J,  0]  over  subsets  of  U ,  we  base  the 
identification  on  the  probability  Y(u\J,  0)  that  a  user 
u  £  U  is  a  compromised  user  in  C.  This  heuristic  reduces 
the  set  estimation  problem  to  a  set  membership  estima¬ 
tion  problem.  We  refer  to  the  identification  algorithm  as 
GUIDE,  for  the  Greedy  User  IDEntification  algorithm 
and  first  address  the  case  when  0  is  known  to  the  TA. 
In  this  case,  the  TA  uses  a  greedy  algorithm  to  construct 
C  by  adding  users  in  decreasing  order  of  probability 
r(«|J,0)  until  C  satisfies  the  condition  J  C  /Cp.  This 
GUIDE-0  algorithm  is  given  in  Fig.  3.  We  note  that  ties 
can  be  broken  arbitrarily  in  the  arg  max  function,  though 
it  is  also  possible  that  the  arg  max  function  can  choose 
an  entire  subset  of  users  to  add  to  C.  This  technique  and 
its  implications  are  not  addressed  in  this  article. 

The  probability  T(u\J,  0)  for  each  u  G  lA  is  computed 
independent  of  other  users  in  U.  In  order  to  compute 
the  desired  probability,  we  define  the  vector  random 
variable  Su  =  (S0u, S{p_1)u)  where  Siu  =  \Kiu  n  Jf\ 
for  fixed  K,lu  and  unknown  or  random  J, .  For  fixed 
parameter  9-u  we  let  Pc,i(siU)  denote  the  probability  that 
(Aju  —  s  -I,,  given  that  u  G  C  and  Pu\c,i(siu.)  denote  the 
similar  probability  for  u  £  U  \C.  We  further  let  Pc(su) 
and  Pu\c(su )  denote  the  corresponding  probabilities  that 
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Su  =  su  for  a  given  vector  su  =  (s0u,  ■  ■  ■ ,  S(p-i)u)  and 
fixed  0. 

Lemma  2:  The  probability  T(w|  J ,  0)  can  be  expressed 


as 


I W,0) 


p-1 

JJ  Pc,i(Siu) 

_ i= 0 _ 

p—  1  p—  1 

Pc,i(siu)  +  Pu\C,i(Siu) 
i— 0  i— 0 


Proof:  The  keys  in  J,:  for  each  time  slot  i  that 
influence  the  probability  T(u\J,  0)  are  only  those  keys 
in  JCiU  D  Ji  held  by  u.  Since  keys  are  assigned  inde¬ 
pendently  and  randomly,  identification  of  compromised 
nodes  depends  only  on  the  number  of  keys  SiU  and  not 
on  the  specific  keys  used,  so  Y{u\J,  0)  =  T(u|su,0). 
Using  Bayes'  Theorem  [14]  and  noting  that  the  event 
that  u  £  C  is  independent  of  the  parameter  0,  we  can 
express  the  probability  T(u|s„,0)  as 


T(u|s„,0) 


_ Pc(su)  Pr[u  £  C\ _ 

Pc(su)  Pr[u  €  C\  +  Pu\c{su )  Pr[u  f  C] ' 


(7) 


Since  the  TA  has  no  prior  information  about  C,  every  user 
is  equally  likely  to  be  compromised,  and  each  possible 
non-empty  set  C  is  equally  likely.  This  implies  that  the 
events  u  £  C  and  u  (f-_  C  are  equally  likely,  so  the 
corresponding  factors  in  (7)  cancel.  Independence  of  the 
key  assignment  in  different  time  slots  implies  that  the 
probabilities  Pc{su)  and  Pu\c{su)  can  be  factored  as 


p- 1 

Pc(su)  =  ]^[  Pc,i(siu)  (8) 

»= 0 
P-1 

Pu\c{su)  =  W_Pu\C,i{Siu)i  (9) 

i= 0 

yielding  the  desired  result.  □ 

To  complete  the  evaluation  necessary  to  perform  the 
GUIDE-0  algorithm  to  construct  the  estimate  C,  we  pro¬ 
vide  the  following  lemma  to  evaluate  the  probabilities 

Pe,i(s)  and  Pu\cAs )• 

Lemma  3:  The  probabilities  Pc,i(s)  and  Pu\cAs)  are 
given  by 


pc,i(A=(mjytA-Oi) 


where  PitC(s)  is  approximated  by  Lemma  1. 

Proof:  When  a  €  C,  is  a  compromised  user,  each  key 
in  ICiu  appears  in  the  set  Jlr  and  hence  in  the  set  K,lu  fi 
independently  with  probability  (),,  yielding 


probability  Pi,c(s)  approximated  by  Lemma  1.  Since  the 
TA  has  no  prior  information  about  C,  all  non-empty 
subsets  of  U  \  { a }  are  assumed  to  be  equally  likely,  so 
Pr[|C|  =  c\u  fC\  =  21-C/(!7“1).  □ 


5.4  Greedy  Identification  of  Jammers  -  0  Unknown 

When  the  parameter  0  is  unknown  to  the  TA,  the 
GUIDE-0  algorithm  cannot  be  used,  as  the  probability 
V(u\J ,  0)  cannot  be  computed.  Though  it  may  be  pos¬ 
sible  to  construct  an  estimate  0  of  0,  we  instead  sug¬ 
gest  replacing  the  probability  T{u\J,  0)  by  the  alternate 
selection  metric  ku  =  ^or  each  user  u  £  U. 

This  choice  of  selection  metric  is  intuitive  as  users  with 
larger  portions  of  the  set  of  jamming  evidence  J  should 
be  more  likely  to  appear  as  compromised  users  in  C. 
The  following  result  qualifies  this  replacement  as  the 
selection  metric. 

Theorem  9:  The  addition  of  users  to  C  according  to 
the  variables  ku  for  u  £  U  approximates  the  addition 
of  users  to  C  according  to  the  probabilities  V(u\J ,  Oj. 
Furthermore,  if  qt  =  q,  rrii  =  m,  6t  =  6,  and  c  is  known, 
the  ordering  of  U  for  the  two  sets  of  quantities  is  identical 
up  to  permutation  of  equal-valued  users. 

Proof:  From  Lemma  2  and  Lemma  3  with  SiU  =  \ICiUn 
Ji\  and  \C\  =  c  known,  r(u|J\  0)  is  given  by 


r(«|j,0)  =  (i  +  n<c  (  — 


P”1  '1-04% 


P-1 


~  ( i + a  n  $ 


(ii) 


2=0 


where  a  and  ff  are  given  by 


j-j  ( 1  _  diZz,c 


i—0 


1  - 


Pi  =  —J  6 


zif  -  d  > 


When  Pi  =  P  for  all*  =  0, ...  ,p—  1,  as  in  the  special  case 
of  rrii  =  to,  qt  =  q,  and  9i  =  6  for  allf  =  0, . . .  ,p  —  1,  (11) 
can  be  simplified  to 

T(u\J,Q)  =  (l  +  ap-^y1  ■  (12) 


The  expression  in  (12)  is  a  monotone  increasing  function 
of  nu/  yielding  the  desired  implication.  □ 

The  result  of  Theorem  9  suggests  that  an  alternative  to 
the  GUIDE-0  algorithm  in  Fig.  3  is  given  by  the  GUIDE- 
k  algorithm  in  Fig.  4.  Moreover,  the  simplified  GUIDE- 
k  algorithm  in  Fig.  4  may  be  a  suitable  alternative  to 
GUIDE-0  even  if  0  is  known,  as  the  required  computa¬ 
tion  is  greatly  reduced. 


pcm  =  (io) 

When  u  f.  C,  the  desired  probability  is  the  probability 
that  | ICiu  n  Ji\  =  s  given  u  £  U  \C.  Conditioning 
this  probability  on  the  event  that  \C\  =  c  yields  the 


5.5  Error  in  Identification  of  Compromised  Users 

In  order  to  evaluate  the  heuristic  estimation  problem  for¬ 
mulated  for  the  identification  of  compromised  users  by 
the  TA,  we  provide  the  following  metrics  of  estimation 
error. 
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GUIDE-re:  Greedy  Estimate  of  C 

Given:  J 

C  *-  0 

while  J  <£.  /Cp  do 

u*  <—  arg  max  ku 

ueu\C 

C  <-CU  {w*} 

end  while 

Fig.  4.  The  algorithm  GUIDE-k  constructs  a  greedy 
estimate  C  of  the  set  C  of  compromised  users  using  the 
jamming  evidence  J  and  can  be  used  when  0  is  unknown 
to  the  TA. 

Definition  7:  The  false  alarm  rate  T{c)  is  the  average 
fraction  of  jamming  suspects  in  C  which  are  not  com¬ 
promised  users  in  C  when  \C\  =  c. 

Definition  8:  The  miss  rate  M  (c)  is  the  average  fraction 
of  compromised  users  in  C  which  do  not  appear  as 
jamming  suspects  in  C  when  \C\  =  c. 

The  false  alarm  and  miss  rates  in  Definitions  7  and 
8  are  approximated  using  the  following  sequence  of 
results.  For  added  clarity,  the  estimation  error  is  ap¬ 
proximated  with  respect  to  the  GUIDE-k  algorithm  in 
Fig.  4  using  the  quantities  ku  instead  of  the  GUIDE-0 
algorithm  in  Fig.  3  using  the  probabilities  T{u\J,  0).  We 
partition  the  set  of  random  variables  nu  to  distinguish 
between  the  compromised  users  in  C  and  the  remaining 
users  in  U\C.  The  nth  largest  ku  values  of  users  in  C,  U\C, 
and  U  are  respectively  denoted  n/f'1,  k^c,  and  \  For 
clarity,  let  k^c  =  =  k ^  =  oo  for  n  =  0,  =  0  for 

n  >  c,  =  0  for  n  >  U—c,  and  =  0  for  n  >  U.  The 
following  lemma  characterizes  the  distributions  of  the 
random  variables  nu  and  K<n>,  and  a  proof  is  provided 
in  the  Appendix. 

Lemma  4:  For  A  e  {C,U,U  \  C},  the  probability 
4>  4^(k|c)  =  Pr  >  k  |  |C|  =  c  is  computed  as 

|_A| 

$a}(kIc)  =  X!  (!  “  $u(k|c))|A|_j  , 

j=n  '  3  ' 

from  the  probabilities  4>n(«:|c)  =  Pr  [ka  >  k  \  \C\  =  c] 
given  by 

$c(«|c)  =  ^2  (Pc, o  *  •  •  •  *  Pc,p- 1)  (k) 

k>K 

$«\c(Klc)  =  ^2  (p°-c  *  ' ' '  *  Pp- i,c)  0) 

k>K 

C  U  —  C 

®u(k\c)  =  — 4>c(k|c)  +  — —®u\c(k\c) 

where  p,:C  is  the  probability  distribution  given  by 
Lemma  1,  Pep  is  the  probability  distribution  given  by 
Lemma  3,  and  ^  is  the  convolution  operator  for  discrete 
probability  distributions. 

We  note  that  when  |C|  =  c  users  appear  as  jamming 
suspects  with  \C\  =  c  compromised  users,  the  number 


of  falsely  accused  users  F  =  \C\C\  and  missed  com¬ 
promised  users  M  =  \C  \  C|  satisfy  c  =  c  —  M  +  F. 
Hence,  the  false  alarm  and  miss  rates  for  fixed  c  are 
approximated  by  estimating  the  distribution  of  c  given  c 
and  the  distribution  of  F  given  c  and  c.  The  probability 
p(c\c)  =  Pr  |C|  =  c  \C\  =  c  is  first  estimated  using  the 
following  result,  a  proof  of  which  can  be  found  in  the 
Appendix. 

Lemma  5:  The  probability  distribution  p(c\c)  of  |C| 
given  |C|  is  approximated  as 

/~i  \  \  '  n  /  7  \  Qj,c(J,  c)  —  Qj,c(J,  &  ~  1) 

p(c  c)  «  2_^  Pj(J^c) - - - -r - Ty0 - 77 - 

j  l  -  Qj,c(J,c-  1) 

where  Qj,c(L,  c)  and  Pj(J,c)  are  defined  recursively  as 


QJiC(L,c)=Yj(*{u\k  |c) 


-  ®)V(k  +  1\c 


^  ^  VnQj,c(,L  Tl,C  1), 


L  —  n\  (  L  —  n 


Pj(J,c )  =  ( P°j(;c )  *  •  •  •  *  Ppj-\;c))  (J), 

Pj(Juc)  =  J2  Q)^(l  -0i)k-J'Pk{k,c), 

mi 

Pjc(k ,  c)  =  ^2  T^pk(k  -n,c-  1), 


k  —  n\  (  k  —  n 


where  *  is  the  convolution  operator  for  discrete  proba¬ 
bility  distributions. 

The  probability  distribution  p(F\c,c)  = 
Pr  \C\C\  =  F  \C\  =  c,  \C\  =  c  ,  characterizing  the 
behavior  of  both  F  and  M,  is  estimated  using  the 
following  result,  a  proof  of  which  can  be  found  in  the 
Appendix. 

Lemma  6:  The  probability  distribution  p(F\c,  c)  of  the 
number  of  falsely  accused  users  given  \C\  and  \C\  is 
approximated  as 


p(F\c,C)  «  J]  min  1,^_f)SK1!C? 

K  1.K2  \  («2|  C) 


x  min  1 


$L\c(k2|c) 

$Sc(«ilc) 


x  (4a-F+i)(K2|C)-$r^i;(«2+ii^ 

Theorem  10:  The  false  alarm  rate  T(c)  is  given  by 


c—F +1)  , 
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where  p(c|c)  is  approximated  by  Lemma  5  and  p(F\c,c) 
is  approximated  by  Lemma  6. 

Proof:  Letting  £[x\  denote  the  expected  value  of  x, 
Definition  7  suggests  that 


F(c)  =£ 


|C\C| 


\C\ 

=  ^2p(c\c)£ 


C=  1 

U 


\C\=c 

'\C\C\ 

\C\ 


\C\  =  c,  \C\  =  c 


(13) 

(14) 

(15) 


C=1 


F= 0 


Theorem  11:  The  miss  rate  M(c)  is  given  by 


□ 


M{c)  =  -^p(c|c)  ^(c  +  F-c)p(F|c,c), 

c  6=1  F=0 


where  p(c|c)  is  approximated  by  Lemma  5  and  p(F\c,c) 
is  approximated  by  Lemma  6. 

Proof:  This  result  follows  from  Theorem  10  and  the 
relationship  c  =  c  —  M  +  F.  □ 


6  Numerical  Illustration  and  Design 

In  this  section,  we  provide  simulation  results  to  illustrate 
design  trade-offs,  providing  a  basis  for  parameter  selec¬ 
tion  in  design  of  the  system.  We  evaluate  the  metrics 
derived  in  Section  4  and  5  and  discuss  the  effect  of 
varying  individual  design  parameters.  We  simulate  the 
long-term  performance  of  the  system  as  a  function  of  the 
identification  interval  of  the  TA  as  defined  in  Section  2.3. 


6.1  Simulation  Setup 

We  simulate  a  network  of  U  =  250  users  with  varying 
parameter  values  of  p,  rn,t,  and  qt  with  the  jamming 
probability  0i  =  0.9.  For  each  set  of  parameters  p,  nii,  and 
q,,  we  randomly  assign  p  sets  of  m ,  control  channel  keys 
to  each  user  from  the  p  sets  of  q,  keys.  For  each  value  of  c, 
the  subset  C  is  randomly  selected  from  the  set  of  users  U, 
and  the  subsets  Ji  of  keys  used  for  jamming  are  selected 
randomly  using  the  parameter  9t.  For  each  subset  C  of 
size  c,  the  resilience  r(c)  is  computed  as  the  fraction 
of  the  \U  \  C\  remaining  users  that  can  access  at  least 
one  control  channel.  Similarly,  the  average  delay  d(c), 
false  alarm  rate  F{c),  and  miss  rate  _A4(c)  are  computed 
using  the  GUIDE-0  algorithm  based  on  the  assigned 
keys,  jammed  control  channels,  and  compromised  users. 
Each  data  point  in  our  simulation  reflects  an  average 
over  100  simulated  network  and  random  key  assignment 
instances.  The  results  of  the  simulation  study  are  illus¬ 
trated  in  Figure  5  for  four  parameter  sets.  The  solid  and 
dashed  lines  in  each  plot  represent  the  analytical  results 
derived  in  Sections  4  and  5,  and  the  symbol-marked 
points  represent  the  results  of  the  simulation  study.  As 
can  be  seen  from  Figure  5,  the  analytical  results  for 
the  resilience  r(c)  and  the  average  delay  d(c)  coincide. 


While  the  analytical  and  simulation  results  for  the  false 
alarm  rate  F{c)  and  the  miss  rate  M(c)  disagree  at 
individual  values  of  c,  the  analytical  results  provide  a 
reasonable  approximation  of  the  error  behavior  that  can 
be  expected. 

6.2  Trade-offs  in  Key  Assignment  Parameters 

We  next  identify  and  discuss  design  trade-offs  in  key 
assignment  parameters  by  investigating  the  impact  of 
individual  parameters  using  the  proposed  evaluation 
metrics.  We  compare  resource  trade-offs  with  respect  to 
the  required  key  storage  ffffl  iri,  for  users  in  U  and 
JfU  F.  for  base  stations  in  B.  We  note  that  since  each 
key  corresponds  to  a  unique  control  channel,  the  com¬ 
munication  overhead  for  base  stations  is  proportional  to 
the  base  station  key  storage. 

6.2. 1  Time  Slots  per  Reuse  Period  p 

We  first  investigate  the  impact  of  varying  the  reuse  pe¬ 
riod  p.  Intuitively,  increasing  the  number  of  assigned  key 
sets  p  increases  the  disparity  of  assigned  keys  between 
valid  and  compromised  users,  increasing  the  overall 
robustness  to  attacks.  In  terms  of  resilience,  illustrated 
in  Fig.  5(a),  the  results  of  Theorems  1  and  4  validate  this 
intuition,  as  the  complement  (1  —  r(c))  of  the  resilience 
is  a  product  of  p  probability  terms.  Flowever,  we  note 
that  key  storage  at  each  user  and  base  station  increases 
linearly  with  p.  In  addition,  the  average  delay  increases 
linearly  with  p,  as  seen  in  Theorem  6  and  Fig.  5(b).  As 
seen  in  Fig.  5(c)  and  5(d),  increasing  p  slightly  improves 
the  false  alarm  and  miss  rates.  The  effect  of  varying  p  is 
illustrated  by  comparing  the  results  in  Fig.  5  for  p  =  4, 
TO*  =  4,  and  q,;  =  20  to  those  of  p  =  8,  m,;  =  4,  and 
Qi  =20. 

6.2.2  Control  Channels  per  Time  Slot  q, 

We  next  investigate  the  impact  of  varying  the  number 
of  control  channels  q,  in  each  time  slot  i.  Increasing  the 
number  of  channels  implies  that  users  share  fewer  keys 
on  average,  leading  to  an  improvement  in  robustness  to 
attacks.  The  results  of  Theorems  1  and  4  illustrate  an 
inverse  dependence  on  each  parameter  q,,  suggesting 
that  resilience  and  delay  improve  as  q,  increases,  as 
seen  in  Fig.  5(a)  and  5(b).  Similarly,  the  identification 
capabilities  of  the  TA  improve  with  increasing  q,  for 
small  c  because  users  are  less  likely  to  share  keys,  as  seen 
in  Fig.  5(c)  and  5(d).  However,  key  storage  at  each  base 
station  increases  linearly  with  q, .  The  effect  of  varying 
q,:  is  illustrated  by  comparing  the  results  in  Fig.  5  for 
p  =  4,  rrii  =  4,  and  q.;  =  20  to  those  of  p  =  4,  m,  =  4,  and 
qi  =  40. 

6.2.3  Control  Channel  Keys  per  User  per  Time  Slot  m* 
We  next  investigate  the  impact  of  varying  the  number 
of  control  channel  keys  m,;  assigned  to  each  user  in  time 
slot  i.  Increasing  m,  implies  that  users  share  more  keys 
on  average.  However,  the  parameter  m,  also  appears 
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Resilience  to  Control  Channel  J  amming  for  U  =250,  0  =0. 


(a) 


Delay  Due  to  Control  Channel  J  amming  for  U=250,  9.  =  0.1 


(b) 


Identification  False  Alarm  Rate  forU=250,  9.  =0.90 

I 


Identification  Miss  Rate  forU=250,  9.  =0.90 

I 


(C) 


(d) 


Fig.  5.  Variations  in  the  (a)  resilience  r(c),  (b)  expected  delay  d(c),  (c)  false  alarm  rate  T(c),  and  (d)  miss  rate  M{c) 
are  illustrated  for  a  network  of  U  =  250  users  with  varying  parameter  values  of  p,  m»,  and  &  and  a  jamming  parameter 
of  0i  =  0.9  using  GUIDE-0.  Solid  and  dashed  lines  represent  analytical  results  derived  in  Sections  4  and  5,  and 
symbol-marked  points  represent  the  simulated  results  averaged  over  100  simulated  network  instances. 


as  an  exponential  term  in  the  slot  resilience  given  by 
Theorem  1.  Hence,  the  effect  of  varying  to,;  depends  on 
the  values  of  the  parameters  p  and  q,,  suggesting  that 
there  exist  various  trade-offs  in  varying  to,;.  The  effect 
of  varying  m,;  is  illustrated  by  comparing  the  results  in 
Fig.  5  for  p  =  4,  m,;  =  2,  and  y,:  =  20  to  those  of  p  =  4, 
to,;  =  4,  and  </,;  =  20. 

6.2.4  Control  Channels  per  Time  Slot  q,  and  per  User 

TO,; 

We  note  that  a  constant  increase  in  both  to,  and  <7,;  allows 
the  designer  to  take  advantage  of  the  increased  exponent 
to,  in  the  slot  resilience  given  by  Theorem  1  without 
increasing  the  ratio  to,;/ <7,;.  Hence,  increasing  key  storage 
at  users  and  base  stations  by  a  constant  leads  to  an 
improvement  in  resilience.  The  effect  of  jointly  varying 
(7,;  and  to,  is  illustrated  by  comparing  the  results  in  Fig.  5 
for  p  =  4,  to,  =  2,  and  <7,  =  20  to  those  of  p  =  4,  to,;  =  4, 
and  (7,;  =  40. 

6.3  Trade-offs  in  Identification  Interval  of  the  TA 

As  illustrated  in  Figs.  5(c)  and  5(d),  the  false  alarm  rate 
tF(c)  and  miss  rate  A 1(c)  are  increasing  functions  of  c 


when  c  is  small.  The  performance  of  the  identification 
process  is  thus  improved  if  the  TA  can  identify  and 
eliminate  the  compromised  users  in  the  network  when 
there  are  relatively  few  of  them.  Hence,  by  reducing  the 
length  of  the  identification  interval  and  sampling  the 
system  more  frequently,  the  TA  can  achieve  decreased 
false  alarm  and  miss  rates.  However,  this  performance 
gain  comes  with  a  necessary  increase  in  computation  and 
communication  overhead  for  the  TA  due  to  the  increased 
rate  of  collection  of  jamming  evidence  J ,  execution 
of  the  GUIDE  algorithm,  and  update  of  fresh  control 
channel  keys  to  remaining  users. 

Fig.  6  illustrates  the  effect  of  the  identification  interval 
on  the  time-varying  number  of  compromised  users  in 
the  system  using  the  following  simulation  setup.  A  new 
user  is  added  to  the  network  whenever  a  user  is  revoked, 
so  the  total  number  of  users  U  remains  constant.  After 
each  key  reuse  period  of  p  time  slots,  a  user  in  U\C 
is  randomly  selected  and  added  to  C  with  probability 
0.4.  The  identification  rate  determines  the  frequency  with 
which  the  TA  collects  jamming  evidence  J  and  executes 
the  GUIDE  algorithm.  Fig.  6  plots  the  normalized  his¬ 
togram  of  the  number  of  compromised  users  after  each 
key  reuse  period  to  illustrate  the  long-term  average  of 
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Presence  of  Compromised  Users  in  the  System 


(a) 


Number  of  Compromised  Users 

(b) 


Presence  of  Compromised  Users  in  the  System 


(c) 


Fig.  6.  Identification  of  compromised  users  is  simulated  using  the  GUIDE-k  algorithm  with  an  adversary  compromising 
users  over  an  extended  duration.  Each  figure  plots  the  normalized  histogram  of  the  fraction  of  1000  key  reuse  periods 
with  a  given  number  of  compromised  users  present  in  the  network.  The  system  parameters  are  chosen  as  p  =  4, 
mi  =  4,  and  r/i  =  20,  and  the  jamming  parameter  is  chosen  as  0  =  0.9.  The  average  identification  interval  is  chosen 
as  (a)  5,  (b),  10,  and  (c)  20  key  reuse  periods. 


the  number  of  compromised  users  in  the  system.  The 
average  identification  interval,  equal  to  the  inverse  of 
the  identification  rate,  is  chosen  as  5  periods  in  Fig.  6(a), 
10  periods  in  Fig.  6(b),  and  20  periods  in  Fig.  6(c).  As 
illustrated,  the  number  of  compromised  users  tends  to 
increase  as  the  identification  interval  increases,  eventu¬ 
ally  leading  to  cascading  system  failure  where  a  majority 
of  the  users  in  the  network  are  compromised. 


7  Conclusion 

In  this  article,  we  addressed  the  mitigation  of  control 
channel  jamming  by  malicious  colluding  insiders  and 
compromised  system  users  as  well  as  the  identifica¬ 
tion  of  compromised  users  without  prior  knowledge  of 
the  number  of  compromised  users  in  the  system.  We 
mapped  the  problem  of  control  channel  access  that  is 
robust  to  jamming  by  compromised  users  to  the  prob¬ 
lem  of  secure  key  establishment  under  node  capture 
attacks.  Based  on  the  mapping,  we  proposed  a  frame¬ 
work  for  control  channel  access  schemes  using  random 
key  assignment.  We  proposed  and  evaluated  metrics  for 
resilience  and  delay  which  quantify  the  availability  of 
control  messages  under  control  channel  jamming  attacks 
and  demonstrated  that  the  use  of  random  key  assign¬ 
ment  provides  graceful  degradation  in  availability  as  the 
number  of  compromised  users  increases.  We  formulated 
the  identification  of  compromised  users  in  the  system 
as  a  maximum  likelihood  estimation  problem  and  pro¬ 
posed  the  GUIDE  algorithms  using  greedy  heuristics 
for  jammer  identification.  We  provided  an  analytical 
approximation  to  evaluate  the  false  alarm  and  miss  rates 
in  the  identification  of  compromised  users  resulting  from 
the  GUIDE  algorithms.  We  discussed  design  trade-offs 
in  the  key  assignment  parameters  and  the  identification 
interval  used  by  the  TA.  In  future  work,  we  will  inves¬ 
tigate  modifications  to  the  adversary's  jamming  strategy 
and  the  effect  on  the  availability  of  control  messages  and 
the  ability  to  identify  compromised  users. 


Appendix 

Proof  of  Lemma  4:  For  each  A  e  {0,1AM  \  C},  the 
derivation  of  <F^(k|c)  from  $^(k|c)  follows  directly 
using  order  statistics  [20]  by  noticing  that  at  least  n  of  the 
\A\  independent  events  are  successful,  and  the  success  of 
each  event  occurs  with  probability  $>i(k|c).  When  u  £  C, 
the  probability  >1>c(k|c)  is  the  summation  over  k  >  k 
of  the  probability  that  ku  =  k.  Since  ku  =  YZ/Z, o  siu>  the 
probability  that  kv  =  k  is  given  by  the  p-fold  convolution 
evaluated  at  k  of  the  probability  distributions  Pc/,  given 
by  Lemma  3.  When  u  £  U  \  C,  the  corresponding 
probability  is  similarly  given  by  the  p-fold  convolution 
evaluated  at  k  of  probability  distributions  p,;jC  given  by 
Lemma  1.  The  probability  <&u{n\c)  is  computed  using  the 
law  of  total  probability  and  the  fact  that  Pr[u  €  C\  =  c/U 
and  Pr[it  £  U  \  C\  =  {U  —  c)/U.  □ 

Proof  of  Lemma  5:  The  probability  p(c|c)  is  computed 
as  the  probability  that  the  greedy  algorithm  stops  after 
adding  c  users  to  C  when  \C\  =  c.  This  is  thus  equivalent 
to  the  probability  that  |Aq?n*7|  =  1*71  when  |C|  =  c  given 
that  |/Cp,  ,  ,  n*7  <  |*7  and  u  £U  is  the  cth  user  added  to 

C.  We  condition  on  the  event  that  \J\  =  YZiZo  \Zi  —  7. 
Letting  Pj(Ji,c )  denote  the  probability  that  |*7;|  =  Ji, 
the  probability  Pj(J,c)  that  |*7|  =  J  is  equal  to  the 
p-fold  convolution  evaluated  at  J  of  the  probability 
distributions  Pj(-,c).  The  probability  Pf(J,,  c)  is  equal 
to  the  summation  over  all  k  >  Ji  of  the  probability 
that  \ICic\  =  k  multiplied  by  the  probability  that  ./,  of 
the  k  compromised  keys  are  used  for  jamming,  equal  to 
(jJOf1  (l  —  9i)k~Ji .  The  probability  Pf(k,c)  that  |/Qc|  =  k 
is  computed  recursively  by  counting  the  number  of  new 
keys  recovered  from  each  compromised  user.  Given  that 
the  first  (c  —  1)  compromised  users  had  ( k  —  n)  of  the 
qi  keys  in  IQ,  the  probability  that  the  keys  held 
by  the  cth  compromised  user  contain  n  new  keys  is 

1  —  -yp2-)  ( TrW  •  The  remaining  probability 

of  interest,  denoted  p(c\c-  7),  is  thus  the  probability  that 
| /Cp  n  *7|  =  7  when  |C|  =  c  given  that  ^  n  *7|  <  7 
and  |  *7 1  =  7.  To  compute  this  probability,  we  define 
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QjtC(L,c )  as  the  probability  that  |/C~  n  J\  =  L  given 
\J\  =  J,  \C\  =  c,  and  \C\  =  c.  If  we  next  condition  on 
the  event  that  =  ft,  summing  over  k  with  weight 
$^(ft|c)  —  $^(/v  +  l|c),  this  probability  can  be  computed 
recursively  in  a  similar  way  to  that  of  Pf(k,c)  above. 
Given  that  the  first  (c  —  1)  identified  users  had  [L  —  n) 
of  the  J  keys  in  J ,  the  probability  that  the  n  keys 
held  by  the  cth  identified  user  contain  n  new  keys  is 
(«)  (l  ~  "  ■  Since  the  desired  probability 

p(c|c,  J)  is  conditional  on  the  event  that  < 

and  the  probability  Qj,c(J,  c)  is  not,  conditional  proba¬ 
bility  yields  the  desired  result.  □ 

Proof  of  Lemma  6:  Given  \C\  =  c  and  |C|  =  c,  the  event 
that  F  users  in  U\C  appear  in  C  is  exactly  the  intersection 
of  the  events  and  k^c  >  k^c~f+1K  The 

probability  p(F\c,  c)  is  thus  the  probability  that  both  of 
these  events  occur.  The  desired  probability  is  evaluated 
by  conditioning  on  the  independent  events  ft^t 1  !  =  «i 
and  nlf~F+1'>  =  ft'2 ■  Combining  these  conditions  with  the 
inequalities  >  ft^i+p  for  A  £  {C,U  \  C}  yields  the 
probability  p{F  |  c,  c)  as 

p(F\c,  c )  =  Pr  F')  >  K i  tiff  F%>  >  ft2 

«1,«2 

X  Pr  [«W\C  ^  K2  4?C  ^ 

X*£+1\K1\c)<t>tF+1\K2\c),  (16) 

noting  that  all  of  the  probabilities  involved  are  con¬ 
ditional  probabilities  given  |C|  =  c.  The  first  prob¬ 
ability  term  in  (16)  is  1  when  ft2  >  fti  and 
^-^(ftilc)/^  F'*(ft2|c)  otherwise.  Similarly,  the  sec¬ 
ond  probability  term  in  (16)  is  1  when  n\  >  ft  2  and 

®LAc(K2lc)/<I>Li\c(Kllc)  otherwise.  □ 
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